malwarewikiaorg-20200223-history
Christmas Tree
Christmas Tree was an early mass-mailing worm coded in late 1987, whose most prominent feature was an ASCII art Christmas tree. Christmas Tree was the first program to paralyze a network and highlight the need to educate computer users about the dangers of opening strange email attachments. Details The program arrives in an email with the subject line "Let this exec run and enjoy yourself!" with the text "if you receive this run it!". The user must execute the program by typing christma or Christmas. When executed, Christmas Tree displays an ASCII Christmas tree. It then reads the files NAMES and NETLOG files, which contain the addresses of communication partners, and mails itself to every email address in them. Bitnet nodes send a message back to the sender for every file that passes through them. Depending on how many nodes a single copy of the worm passed through until it reached its destination computer, it could generate from one to twenty messages on the sender's screen. With many copies of the worm being sent at once, hundreds of lines could be generated on a user's screen, interrupting work. The Christmas tree looks similar to this: * * *** ***** ******* ********* ************* A ******* *********** VERY *************** ******************* HAPPY *********** *************** Christmas ******************* *********************** AND MY *************** ******************* BEST WISHES *********************** *************************** FOR THE NEXT ****** ****** YEAR ****** A comment inside the Christmas Tree source code contains the comment : (REMEMBER ALWAYS DO WHAT THE FILE TELLS YOU!) browsing this file is no fun at all just type CHRISTMAS from cms The worm will not run on any systems other than VM/CMS. A computer with a REXX interpreter may be able to display the greeting, but NAMES and NETLOG are unique to the VM/CMS system, and therefore the worm will be unable to collect the contact information necessary to replicate itself. Effects The first known infection of Christmas Tree was reported in 1987 on December 9th. Christmas Tree made it onto the EARNet (European Academic Research Network), and from there to BITNET and finally spread to IBM's VNet electronic mail network by December 15th. On Bitnet, it was contained and mostly destroyed by December 14. IBM's VNet was paralysed on 1987.12.17 and brought to a standstill two days later, only getting rid of the worm by shutting down the network. All of the networks it spread on experienced some disruption. In 1990, Christmas Tree resurfaced after being posted to Usenet. IBM was forced to shut down its 350,000-terminal network in order to disinfect the network. Other Facts The worm was created by an unnamed student at the University of Clausthal in former West Germany. The creator was found at least by December 21 and barred from using his system, and it is said he cried. The author said that the damage was unintentional and that the program was written to send Christmas greetings to his friends. Its status as a trojan or a worm is a subject of debate, for many people have made good cases for both sides. Those who believe it is a trojan cite the fact that it requires the user to download and run the attachment to make it replicate. One particularly interesting case says that the worm needs to send a small piece of itself like an exploit to determine if the system is hospitable or not. Currently the Virus Encyclopedia refers to the Christmas Tree program as a worm. The fact that the worm moves from one computer to another (regardless of whether or not it needs a little prodding from the unsuspecting user) is enough to fit our definition of a worm. As for the claim that it must send a small part of itself, like some exploit code, to check if the new system is hospitable or not, just take a look at biological worms on pavement or asphalt after a rainstorm. They certainly do not check if the pavement is a hospitable place to live, or else they would not end up crisp and stuck to it. This definition is open to debate within the encyclopedia. Sources Ross Patterson. The Risks Digest, "Re: IBM Christmas Virus", Volume 5: Issue 80. 1987.12.21 VX Heavens, "Viruses for the "Exotic" Platforms". Otto Stolz. VIRUS-L Digest, Volume 5, Issue 178, "Re: CHRISTMA: The "Card"! (CVP)". 1992.11.12 Bridget Rutty, -, -, Issue 195. 1992.12.02 Wes Morgan. Computer Underground Digest, Volume 2, Issue #2.07. 1990.10.15 Category:Worm Category:Email worm Category:VM Category:VM worm Category:REXX Category:First Category:Mass mailer worm Category:Virus from 1980s